Figure 10-49 Branch
The branch condition inside loc_2903E8E6 is R0. If R0 == 0, then branch left, meaning this
address doesn’t support iMessage. Otherwise branch right and reach figure 10-50.
Figure 10-50 Branch
The branch condition in figure 10-50 is still R0. If R0 == 2, then branch left: iMessage is not
supported. Otherwise branch right and go back to figure 10-46. Note that these 3 blocks of code
don’t change the value of R8. As a result, R0 at the bottom of loc_2903E8E6 is very important; as
long as R0 != 0 && R0 != 2, the branch in figure 10-46 is useless. That’s because R11 keeps
increasing while R8 stays the same, so MobileSMS will eventually branch left and come to the
conclusion that iMessage is supported. So judging from all the information above, we can think of
R0 as the essential branch condition in this loop. Do you still remember what I’ve just said? “If
different branches result in writing different values into R5, we need to figure out what’s the
branch condition, and this condition is our target data source”. Thus, R0 is the 14th data source.
Next, let’s check with LLDB what these objc_msgSends in figure 10-49 are, as well as the